Blind quantum computation 



Pablo Arrighi¹ and Louis Salvail²

¹ Laboratoire Leibniz, Institut d'Informatique et de Mathématiques Appliquées de Grenoble (IMAG), CNRS UMR 5522, 46 Avenue Félix Viallet, 38031 Grenoble Cedex, France.
² BRICS, Department of Computer Science, University of Aarhus, Building 540, Ny Munkegade, Aarhus C-8000, Denmark.

We investigate the possibility of having someone carry out the work of executing a function for you, but without letting him learn anything about your input. Say Alice wants Bob to compute some known function $f$ upon her input $x$, but wants to prevent Bob from learning anything about $x$. The situation arises for instance if client Alice has limited computational resources in comparison with mistrusted server Bob, or if $x$ is an inherently mobile piece of data. Could there be a protocol whereby Bob is forced to compute $f(x)$ blindly, i.e. without observing $x$? We provide such a blind computation protocol for the class of functions which admit an efficient procedure to generate random input-output pairs, e.g. factorization. The cheat-sensitive security achieved relies only upon quantum theory being true. The security analysis carried out assumes the eavesdropper performs individual attacks.

I. INTRODUCTION

In the traditional secure two-party computation scenario, Alice has secret input $x$, Bob has secret input $y$, and both of them wish to compute $f(x,y)$. The function $f$ is of course well-known to the two parties; the usual example is that of two millionaires who wish to compare their wealth without disclosing how much they own. Most protocols for secure two-party computation are symmetric with respect to the computing power each party should carry out during the execution. In these scenarios, if Alice knew Bob's input $y$ she could compute $f(x,y)$ on her own without having to invest more computing power. Entering a secure two-party computation together with Bob will in general not help in diminishing the computing power Alice needs to evaluate $f$, and this is simply not the aim pursued. In fact, all implementations known by the authors of this paper require both Alice and Bob to invest more computing power than what is needed for the mere evaluation of $f$. For instance, there are implementations in which each gate performed by a party requires the other to perform the same gate, together with some extra encryption.

Unlike secure two-party computation, blind computation is fundamentally asymmetric. Alice is the only party with a secret input $x$, Bob is the only one able to compute $f$. Alice wants Bob to compute $f(x)$ without him learning too much about $x$. Thus an obvious motivation for Alice to enter a blind quantum computation together with Bob is to unload the computational task of computing $f$ without having to compromise the privacy of her input. One could easily imagine this occurring in a Grid architecture, or in any client-server relation with a mistrusted server retaining the computational power. To make things more precise, suppose there were only a handful of fully operational large-scale quantum computers in the world, and some hungry academic decided to make use of her timeshare as scientist to crack some Swiss bank's RSA private key $x$. The hungry academic (Alice) will surely want to keep $x$ secret from the authorities handling the quantum computer (Bob), so that she does not get suspected when subsequent international money transfers come to top up her meager income. But there may be other reasons to enter a blind computation protocol than mere computational power asymmetry. For instance Bob may possess some trapdoor information about the otherwise well-known function $f$. Or perhaps $x$ may represent some mobile agent's code which ought to be protected against the malicious host upon which it runs. Others may see blind quantum computation as a somewhat philosophical issue: is it possible to carry out some work for someone whilst being prevented from knowing what the work consists in?

In the classical setting, blind computation was first studied by Feigenbaum. It was shown that for some functions $f$, an instance $x$ can be encrypted by $z = E_k(x)$ in such a way that Alice can recover $f(x)$ efficiently from $k$ and $f(z)$. The construction cannot be extended easily to general classes of functions. In particular, blind computation of the discrete logarithm function (DLF) was shown possible but no blind computation of the RSA factoring function (FACF) is known. The infinite complexity hierarchy

$$P \subseteq NP = NP^{P} \subseteq NP^{NP} \subseteq NP^{NP^{NP}} \subseteq \cdots$$

(where $NP^{C}$ stands for the class of languages recognizable in non-deterministic polynomial time provided access to an oracle for problems of class $C$) is called the polynomial-time hierarchy. It is widely believed that every level in the polynomial-time hierarchy is strictly contained in the next one. However, proving or disproving this statement would be a major breakthrough in complexity theory. Abadi, Feigenbaum, and Kilian [1] have shown that no NP-hard problem can be computed blindly unless the polynomial-time hierarchy collapses at the third level. We conclude that it is very unlikely that any NP-hard problem can be computed blindly in the classical setting.

Even when computational assumptions are invoked [10], none of the currently known classical blind computation protocols applies to general classes of functions. Rather they take advantage of specific algebraic properties of particular functions. These constructions rely upon encryptions that are, in some sense, homomorphic with respect to function $f$. Clearly, very natural candidates for $f$, like FACF, are not known to have this property. It is not surprising that such stringent requirements do not necessarily hold when Bob is running a quantum computer.

In this paper we are concerned with unconditional security, that is we do not make any computational assumptions upon eavesdropper Bob. Although we give Bob the opportunity to gain some Shannon information $I$ about Alice's input $x$, we ensure that Bob's eavesdropping gets detected by Alice with a probability which rapidly increases with $I$. Any server Bob who wants to remain in business should clearly avoid such an a posteriori detection. Our goal consists of finding protocols for blind computation for which a good tradeoff between Bob's ability to avoid being detected and the amount of Shannon information about Alice's input can be established. Almost privacy was recently studied by Klauck in a two-party computation setting which differs from the asymmetric scenario imposed by blind computations. Moreover, the security was only considered with respect to passive adversaries. We want our solution to apply to a wider class of functions than the one considered in the classical setting while being resistant to active adversaries. As far as we can tell, blind quantum computation has not been studied as such so far.

In Section II we present the basic ideas of our blind quantum computation protocol, as well as the reasons which limit their use to a certain class of functions. In Section III we review and adapt a recent result in the Information versus Disturbance tradeoff literature. In Section IV we formalize the protocol and give a proof of its security. We conclude in Section V and mention possible extensions of this work.



II. PRINCIPLES OF A SOLUTION

Let us now explain the basic principles underlying our blind quantum computation protocol. Suppose Alice wants Bob to compute $f(x)$ whilst keeping $x$ secret. Moreover suppose Bob possesses a quantum computer which implements $f$, i.e. he is able to implement a unitary transform $U$ such that $U|q\rangle|0\rangle = |q\rangle|f(q)\rangle$ for all inputs $q$. In order to achieve her purpose Alice could hide her true input $|x\rangle$ amongst superpositions of other potential inputs $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$ (which we later refer to as 'quantum decoys') and send all this to Bob for him to execute $U$. Now if Bob attempts a measurement so as to determine $|x\rangle$ he will run the risk of collapsing the superpositions. Alice may detect such a tampering when she retrieves her results. The above suggestion has a weakness however: Alice is not returned $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$, but

$$U\,\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}\,|0\rangle = \frac{|q;f(q)\rangle + i|q';f(q')\rangle}{\sqrt{2}},$$

the result of Bob's computation upon the superposition Alice had sent. Since Alice does not want to compute $f$ herself she is in general unable to check upon the integrity of such states. To get an intuition of why this is, consider the effects of tracing out the result register whenever $f(q)$ is different from $f(q')$:

$$\mathrm{Tr}_2\!\left[\frac{\big(|q;f(q)\rangle + i|q';f(q')\rangle\big)\big(\langle q;f(q)| - i\langle q';f(q')|\big)}{2}\right]$$
$$= \Big(|q\rangle\langle q|\,\mathrm{Tr}(|f(q)\rangle\langle f(q)|) - i|q\rangle\langle q'|\,\mathrm{Tr}(|f(q)\rangle\langle f(q')|) + i|q'\rangle\langle q|\,\mathrm{Tr}(|f(q')\rangle\langle f(q)|) + |q'\rangle\langle q'|\,\mathrm{Tr}(|f(q')\rangle\langle f(q')|)\Big)/2$$
$$= \frac{|q\rangle\langle q| + |q'\rangle\langle q'|}{2}.$$

In other words once such a trace-out has been performed the state is either $|q\rangle$ with 0.5 probability, or $|q'\rangle$ with 0.5 probability, i.e. it makes no difference whether Bob performed a measurement in the computational basis or not.

There are many computational problems, however, for which this obstacle can be circumvented. For example say $f$ takes composite numbers into the list of their integer factors. Then Alice can easily (at the cost of a few multiplications) prepare several input-output pairs $\{(q, f(q))\}$. Thus if Alice hides her true input $|x\rangle$ amongst superpositions $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$ generated in this manner, she will later be able to check whether $\frac{|q;f(q)\rangle + i|q';f(q')\rangle}{\sqrt{2}}$ are indeed being returned. Formally the idealized class of functions for which our protocol will work is defined as follows:

Definition 1 (Random verifiable functions) Let $S$ and $S'$ denote two finite sets. A function $f : S \to S'$ is random verifiable if and only if there exists, for all $N$, an efficient probabilistic process which generates $N$ input-output pairs $\{(q, f(q))\}$ and such that the inputs (the $q$'s) are uniformly distributed in $S$.

There are several promise problems for which we can define functions that are random verifiable. Consider the language RSA-composite which contains natural numbers of a fixed size that can be expressed as the product of two primes of the same size. The function $f$ that returns the prime factors is also random verifiable. In this case, $f$ can be computed efficiently on a quantum computer but not, as far as we know, on a classical computer. Another example can be obtained from the graph isomorphism problem. Let $L_{e,v}$ be the set of all pairs of isomorphic graphs with $e$ edges and $v$ vertices. We define function $f : L_{e,v} \to S_e$, where $S_e$ is the set of all permutations among $v$ elements, as $f(G_0, G_1) = \sigma$ such that $\sigma(G_0) = G_1$. It is easy to verify that $f$ is random verifiable. The following efficient classical computation does the job:

• Pick a random permutation $\sigma \in S_e$,

• Generate a random graph $G_0$ with $e$ edges and $v$ vertices,

• Output $((G_0, \sigma(G_0)), \sigma)$.

Although $f$ is random verifiable by an efficient classical algorithm, it is not known whether even a quantum computer can evaluate $f$ efficiently.
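As an added illustration (not code from the paper), the following Python generates random input-output pairs for the two random verifiable functions named above, factoring of RSA-composites and the graph isomorphism function $f(G_0, G_1) = \sigma$, and shows the cheap checks Alice can run on a returned answer. The prime size, the Miller-Rabin test and the edge-set representation of graphs are assumptions of this example, not of the paper.

```python
import random

TRIALS = 20  # Miller-Rabin rounds; error probability below 4**-TRIALS (assumption)


def is_probable_prime(n, rounds=TRIALS):
    """Miller-Rabin primality test (standard library only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Odd prime of exactly `bits` bits, found by rejection sampling."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def factoring_pairs(bits, count):
    """Random input-output pairs for the factoring function on RSA-composite:
    input p*q with p != q primes of the same size, output the pair (p, q).
    Alice pays one multiplication per pair; Bob would have to factor."""
    pairs = []
    for _ in range(count):
        p = random_prime(bits)
        q = random_prime(bits)
        while q == p:
            q = random_prime(bits)
        pairs.append((p * q, tuple(sorted((p, q)))))
    return pairs


def random_graph(v, e):
    """Random simple graph on vertices 0..v-1 with exactly e edges,
    stored as a frozenset of (a, b) tuples with a < b."""
    all_edges = [(a, b) for a in range(v) for b in range(a + 1, v)]
    return frozenset(random.sample(all_edges, e))


def apply_permutation(sigma, graph):
    """sigma(G): relabel each endpoint through sigma (sigma[i] is the image of i)."""
    return frozenset(tuple(sorted((sigma[a], sigma[b]))) for a, b in graph)


def graph_iso_pairs(v, e, count):
    """Random input-output pairs for f(G0, G1) = sigma with sigma(G0) = G1,
    following the three steps in the text: pick sigma, pick G0,
    output ((G0, sigma(G0)), sigma)."""
    pairs = []
    for _ in range(count):
        sigma = tuple(random.sample(range(v), v))  # uniform over the permutations of v elements
        g0 = random_graph(v, e)
        pairs.append(((g0, apply_permutation(sigma, g0)), sigma))
    return pairs


def verify_factoring_pair(n, factors):
    """Alice's cheap check of a returned answer: multiply and test primality."""
    p, q = factors
    return (p * q == n and p != q and p.bit_length() == q.bit_length()
            and is_probable_prime(p) and is_probable_prime(q))


def verify_graph_pair(graphs, sigma):
    """Alice's cheap check: applying sigma to G0 must give G1."""
    g0, g1 = graphs
    return apply_permutation(sigma, g0) == g1
```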

In this paper, we provide a blind quantum computation protocol for random verifiable functions together with a thorough security analysis. The cheat-sensitive security achieved relies upon the laws of physics only. It is expressed using the vocabulary of information theory. As was hinted in this section our analysis will crucially depend upon the tradeoff between Bob's information gain about Alice's true input (a canonical basis state) and the disturbance he induces upon superpositions of potential inputs (pairwise superpositions of canonical basis states).

III. INFORMATION GAIN VERSUS DISTURBANCE TRADEOFF

Say Alice draws out a state from an ensemble of quantum states, sends it to Bob, and later retrieves it. How much information can Bob learn about the state, and what, then, is the probability that Alice can detect Bob's eavesdropping? Questions of Information Gain versus Disturbance tradeoff were first investigated by Fuchs and Peres, who considered a seemingly simple scenario involving two equiprobable non-orthogonal pure states. But the formula they obtained is relatively complex and the methods employed are somewhat difficult to export to our setting. In order to construct a blind quantum computation protocol we needed to quantify the disturbance upon pairwise superpositions of $n$-dimensional canonical basis states, as induced when Bob seeks to learn information about the canonical basis. A tradeoff formula for this problem was given in [3]. Proposition 1 rephrases this result in terms of induced fidelity and letting Bob and Alice be the same person.

Scenario 1 (One quantum decoy) Consider a quantum channel for transmitting $n$-dimensional systems having canonical orthonormal basis $\{|j\rangle\}$. Suppose Alice's message words are drawn out of the canonical ensemble $\{(1/n, |j\rangle)\}_{j=1..n}$, whilst her quantum decoys are drawn out of the pairing ensemble $\{(1/n^2, \frac{|j\rangle + i|k\rangle}{\sqrt{2}})\}_{j,k=1..n}$. Alice sends, over the quantum channel, either a message word or a decoy, which she later retrieves.

Whenever she sends a quantum decoy $\frac{|j\rangle + i|k\rangle}{\sqrt{2}}$ she later measures the retrieved system with $\{P_{intact} = \frac{(|j\rangle + i|k\rangle)(\langle j| - i\langle k|)}{2},\ P_{tamper} = I - P_{intact}\}$ so as to check for tampering.

Suppose Bob is eavesdropping the quantum channel, and has an interest in determining Alice's message words.



Proposition 1 (One quantum decoy) Referring to Scenario 1 and its formalization in Figure 1, suppose Bob performs an attack such that, whenever a message word gets sent, he is able to identify which with probability $G$ (mean estimation fidelity). Then, whenever a quantum decoy gets sent, the probability $F$ (induced fidelity) of Bob's tampering not being detected by Alice is bounded above under the following tight inequality:

$$F \le \frac{1}{2} + \frac{1}{2n}\left(\sqrt{G} + \sqrt{(n-1)(1-G)}\right)^2 \qquad (1)$$

For optimal attacks $G$ varies from $\frac{1}{n}$ to $1$ as $F$ varies from $1$ to $\frac{1}{2} + \frac{1}{2n}$.

FIG. 1: One quantum decoy.

A: Draw $t$ in $T = \{(p, go), (1-p, nogo)\}$
A: If $t = go$ draw $s = m$ in $M = \{(1/n, |j\rangle)\}_{j=1..n}$
A: If $t = nogo$ draw $s = d$ in $D = \{(1/n^2, \frac{|j\rangle + i|k\rangle}{\sqrt{2}})\}_{j,k=1..n}$
A: $s \to B$
B: Draw $x, s'$ in $X, S = \{(\|M_x s\|^2,\ |x\rangle \otimes M_x s/\|M_x s\|)\}_x$
   with $\{M_x\}$ a generalized measurement.
B: $s' \to A$
A: If $t = go$ draw $y$ in $Y = \{(0, tamp), (1, notamp)\}$
A: If $t = nogo$ draw $y$ in $Y = \{(\|P_{tamper} s'\|^2, tamp), (\|P_{intact} s'\|^2, notamp)\}$
   with $P_{tamper} = I - P_{intact}$, $P_{intact} = s s^\dagger$.

Now imagine that Scenario 1 gets repeated $N$ times round, and that Alice happens to send only decoys.

Scenario 2 (N quantum decoys)

Step 0. Alice prepares a pool of $N+1$ quantum states consisting of one message word together with $N$ quantum decoys.

Step 1. Alice sends Bob one quantum state drawn at random amongst those remaining in the pool.

Step 2. Alice awaits to retrieve the quantum state she sent.

Step 3. If Alice sent a quantum decoy she measures the retrieved system so as to check for tampering.

Step 4. If the pool is empty Alice stops the protocol, else she proceeds again with Step 1.

Step 5. Alice publicly announces the position $p$ at which she sent her message word.

This scenario is formalized in Figure 2.



FIG. 2: N quantum decoys / individual attacks

A: Draw $p$ in $P = \{(1/(N+1), i)\}_{i=0..N}$
For $r = 0 \ldots N$:
  A: If $r \ne p$ draw $t$ in $T = \{(1, go), (0, nogo)\}$, else draw $t$ in $T = \{(0, go), (1, nogo)\}$
  A: If $t = go$ draw $s = m$ in $M = \{(1/n, |j\rangle)\}_{j=1..n}$
  A: If $t = nogo$ draw $s = d$ in $D = \{(1/n^2, \frac{|j\rangle + i|k\rangle}{\sqrt{2}})\}_{j,k=1..n}$
  A: $s \to B$
  B: Draw $x_r, s'$ in $X, S = \{(\|M^{(r)}_x s\|^2,\ |x\rangle \otimes M^{(r)}_x s/\|M^{(r)}_x s\|)\}_x$
     with, for all $r$, $\{M^{(r)}_x\}$ a generalized measurement upon a bipartite system.
  B: $s' \to A$
  A: If $t = go$ draw $y_r$ in $Y = \{(0, tamp), (1, notamp)\}$
  A: If $t = nogo$ draw $y_r$ in $Y = \{(\|P_{tamper} s'\|^2, tamp), (\|P_{intact} s'\|^2, notamp)\}$
     with $P_{tamper} = I - P_{intact}$, $P_{intact} = s s^\dagger$.
A: $p \to B$
B: $guess = f_p(x_0, \ldots, x_N)$



Corollary 1 (N quantum decoys/individual attacks) Referring to Scenario 2, suppose Bob only performs individual attacks, i.e. independent of each other at each round, as formalized in Figure 2. The probability of Bob reaching round $m$ ($0 < m < N$) without being caught tampering is bounded above under the following tight inequality:

$$p(\text{Bob reaches } m) \le \prod_{i=1,\, i \ne p}^{m-1} F(G_i) \qquad (2)$$

where $G_i$ stands for Bob's mean estimation fidelity, if $p$ is announced equal to $i$, about the message word sent at round $p$.



Proof. Within the for loop of Figure 2 the scenario which gets repeated is exactly that of Figure 1, for which Proposition 1 applies independently at each round. □

In the above scenario Bob's attacks are somewhat memoryless. Bob's measurements do not depend upon previous outcomes nor upon any ancilla quantum system which he might keep throughout the protocol. This is what enables us to apply Proposition 1 at the level of each individual transmission, i.e. to assume that the probabilities $\{p(\text{Bob passing round } i) = F(G_i)\}_{i=1..N}$ are independent from each other and hence that Bob's chances of not being detected at all are bounded by $\prod_{i=1..N} F(G_i)$.

Now say Bob was to keep an ancillary quantum system entangled with a quantum decoy sent at a previous round, and then perform a coherent quantum measurement upon another quantum decoy and the ancillary quantum system at a later round: could this correlate his probabilities of getting caught in a favorable manner? We argue that it is not so in the following conjecture, by making use of a standard argument. Formal proofs of probabilistic security protocols are known to be an extremely delicate matter requiring delicate notions of process equivalences. In quantum information theory such rigorous frameworks have not yet appeared and seem to be needed here; we will only provide the reader with a number of intuitions which strongly support our statement.

Conjecture 1 (N quantum decoys/coherent attacks) Referring to Scenario 2, suppose Bob performs general attacks, i.e. which may depend on each other at every round, as formalized in Figure 3. The probability of Bob reaching round $m$ ($0 < m < N$) without being caught tampering is bounded above under the following tight inequality:

$$p(\text{Bob reaches } m) \le \prod_{i=1,\, i \ne p}^{m-1} F(G_i)$$

where $G_i$ stands for Bob's mean estimation fidelity, if $p$ is announced equal to $i$, about the message word sent at round $p$.

FIG. 3: N quantum decoys / coherent attacks

A: Draw $p$ in $P = \{(1/(N+1), i)\}_{i=0..N}$
B: $a = \psi$
For $r = 0 \ldots N$:
  A: If $r \ne p$ draw $t$ in $T = \{(1, go), (0, nogo)\}$, else draw $t$ in $T = \{(0, go), (1, nogo)\}$
  A: If $t = go$ draw $s = m$ in $M = \{(1/n, |j\rangle)\}_{j=1..n}$
  A: If $t = nogo$ draw $s = d$ in $D = \{(1/n^2, \frac{|j\rangle + i|k\rangle}{\sqrt{2}})\}_{j,k=1..n}$
  A: $s \to B$
  B: Draw $x_r, s', a'$ in $X, S, A = \{(\|M^{(r)}_x (s \otimes a)\|^2,\ |x\rangle \otimes M^{(r)}_x (s \otimes a)/\|M^{(r)}_x (s \otimes a)\|)\}_x$
     with, for all $r$, $\{M^{(r)}_x\}$ a generalized measurement upon a bipartite system.
  B: $s' \to A$
  A: If $t = go$ draw $y_r$ in $Y = \{(0, tamp), (1, notamp)\}$
  A: If $t = nogo$ draw $y_r$ in $Y = \{(\|P_{tamper} s'\|^2, tamp), (\|P_{intact} s'\|^2, notamp)\}$
     with $P_{tamper} = I - P_{intact}$, $P_{intact} = s s^\dagger$.
  B: $a = a'$
A: $p \to B$
B: $guess = f_p(x_0, \ldots, x_N)$

The following arguments support our claim. Note that in Figure 3 we allow Bob to perform the most general attack possible: his generalized measurements $\{M^{(r)}_x\}$ depend upon the round $r$; they may entangle the ancillary quantum system $a$ to the state $s$ sent by Alice for later use (thus the systems $a'$ and $s'$ may be entangled); they may depend upon previous measurement outcomes via the contents of the ancillary quantum system $a$; or they could keep $a$ entangled but unmeasured until the final round provided that for $r < N$ the statistics of $\{M^{(r)}_x\}$ do not depend on $a$. We now reason by contradiction.

Suppose $p(\text{Bob reaches } m) > \prod_{i=1,\, i\ne p}^{m-1} F(G_i)$. Then there exists a $k$ for which

$$p(\text{Bob reaches } k) \le \prod_{i=1,\, i\ne p}^{k-1} F(G_i) \quad\text{and}\quad p(\text{Bob reaches } k+1) > \prod_{i=1,\, i\ne p}^{k} F(G_i).$$

For such a $k$ we thus have

$$p(\text{Bob reaches } k+1 \mid \text{Bob reaches } k) > F(G_k). \qquad (3)$$

In other words Bob, on the $k$-th round, due to the state of the ancillary system $a$ at this round, is capable of collecting mean estimation $G_k$ about a message word whilst remaining undetected with probability more than $F(G_k)$ upon a quantum decoy. However $a$ is absolutely uncorrelated with $s$ for our purpose, because:

• the quantum decoys and the message words are indistinguishable since $\frac{1}{n^2}\sum_{j,k}\frac{(|j\rangle + i|k\rangle)(\langle j| - i\langle k|)}{2} = \frac{1}{n}\sum_j |j\rangle\langle j|$. Hence $a$ cannot hold any information about whether the message word is sent at round $k$;

• the quantum decoys are picked up independently from one another and independently from the message words, hence if the message word is sent at round $k$, $a$ does not hold any complementary information about the message word and does not modify $G_k$;

• the quantum decoys are picked up independently from one another and independently from the message words, hence if a quantum decoy is sent at round $k$, $a$ does not hold any complementary information about the subspace of the quantum decoy which needs to be preserved and hence does not modify $F(G_k)$.

In other words Bob could have, for the purpose of optimizing his information gain versus disturbance tradeoff at round $k$, come up with just as good an $a$ by playing the first $k-1$ rounds of the protocol with Charlie instead. Hence the situation at round $k$ is in contradiction with Proposition 1. □

The next section also makes use of the following math- 
ematical result, whose direct proof was shown to us by 
Prof. Frank Kelly. 

Lemma 1 (Concavity of circular products) Consider $f : [0,1] \to [0,1]$ a concave, continuous function and $\{x_i\}_{i=1..N+1}$ a set of real numbers in the interval $[0,1]$. Suppose the sum $t = \sum_{i=1}^{N+1} x_i$ is fixed. We have

$$\frac{1}{N+1}\sum_{p=1}^{N+1}\ \prod_{i=1,\, i\ne p}^{N+1} f(x_i) \le f\!\left(\frac{t}{N+1}\right)^{N}.$$

Proof. By definition of concavity one has

$$\frac{1}{2}\big(f(x_1) + f(x_2)\big) \le f\!\left(\frac{x_1 + x_2}{2}\right) \qquad (4)$$

and

$$f(x_1)\, f(x_2) \le f\!\left(\frac{x_1 + x_2}{2}\right)^2, \qquad (5)$$

where the latter equation trivially derives from $f(x_1) f(x_2) \le \left(\frac{f(x_1) + f(x_2)}{2}\right)^2$. Let us now show that

$$\frac{1}{N+1}\sum_{p=1}^{N+1}\ \prod_{i=1,\, i\ne p}^{N+1} f(x_i) \le \frac{1}{N+1}\sum_{p=1}^{N+1}\ \prod_{i=1,\, i\ne p}^{N+1} f(y_i), \qquad (6)$$

where $y_1 = y_2 = \frac{x_1 + x_2}{2}$ and $y_i = x_i$ for $i = 3 \ldots N+1$. This result is in fact obtained by combining (summing) two inequalities:

$$\big(f(x_1) + f(x_2)\big)\prod_{i=3}^{N+1} f(x_i) \le \big(f(y_1) + f(y_2)\big)\prod_{i=3}^{N+1} f(y_i),$$
$$f(x_1)\, f(x_2) \sum_{p=3}^{N+1}\ \prod_{i=3,\, i\ne p}^{N+1} f(x_i) \le f(y_1)\, f(y_2) \sum_{p=3}^{N+1}\ \prod_{i=3,\, i\ne p}^{N+1} f(y_i),$$

where the former stems from Equation (4) and $f(x)$ positive, whilst the latter stems from Equation (5) and $f(x)$ positive.

Equation (6) expresses the fact that, whenever two elements $x_i$ and $x_j$, $i \ne j$, are replaced by their mean, the value of

$$\pi(x) = \frac{1}{N+1}\sum_{p=1}^{N+1}\ \prod_{i=1,\, i\ne p}^{N+1} f(x_i)$$

is increased. Now let us define $\{x^{(k)}\}$ a sequence of vectors such that $x^{(1)} = (x_1, x_2, \ldots, x_{N+1})$, and $x^{(k)}$ is formed from $x^{(k-1)}$ by replacing both the largest and the smallest component by their mean. As $k$ goes to infinity this sequence of vectors tends to $x^{(\infty)} = \left(\frac{t}{N+1}, \frac{t}{N+1}, \ldots\right)$. By Equation (6) we have $\{\pi(x^{(k)})\}$ an increasing sequence of real numbers. As $k$ goes to infinity, and since $\pi(x)$ is continuous in $x$, this sequence of real numbers tends to

$$\pi\big(x^{(\infty)}\big) = f\!\left(\frac{t}{N+1}\right)^{N}.$$

This limit must therefore provide, for all $x$ having components summing to $t$, a tight upper bound on the value of $\pi(x)$. □



IV. PROTOCOL AND SECURITY

We are now set to give our blind quantum computation protocol:

Protocol 1 (Interactive version) Alice wants Bob to compute $f(x)$ whilst keeping her input $x$ secret. Here $f$ designates a random verifiable function implemented on a quantum computer by a unitary evolution $U$.

Step 0. Alice efficiently computes $2N$ random input-solution pairs $(q, f(q))$ and prepares a pool of $N+1$ quantum states consisting of her true input $|x\rangle$ together with $N$ quantum decoys $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$.

Step 1. Alice sends Bob one quantum state $|\psi\rangle$ drawn at random amongst those remaining in the pool.

Step 2. Bob supposedly computes $U|\psi\rangle|0\rangle$ and sends the result back to Alice.

Step 3. If $|\psi\rangle$ was a quantum decoy $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$ Alice measures the retrieved system with

$$\Big\{P_{intact} = \tfrac{1}{2}\big(|q;f(q)\rangle + i|q';f(q')\rangle\big)\big(\langle q;f(q)| - i\langle q';f(q')|\big),\ P_{tamper} = I - P_{intact}\Big\}$$

so as to check for tampering. If she detects tampering she stops. If on the other hand $|\psi\rangle$ was her true input Alice reads off $f(x)$.

Step 4. If the pool is empty Alice stops the protocol, else she proceeds again with Step 1.
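The following Python simulation is an added example (not the authors' code) of the decoy check in Step 3 of Protocol 1 and of the trace-out argument of Section II: it models $U$ as a lookup table, an honest Bob, and a Bob who measures the input register in the computational basis, and computes how often Alice's $P_{intact}$ test passes. The toy function $f$ on four inputs and the dict representation of states are constructed for the example.

```python
import math

# Constructed toy function on n = 4 inputs; any lookup table works because the
# protocol only needs Alice to know f on the decoys she prepared herself.
TOY_F = {0: 2, 1: 0, 2: 3, 3: 1}


def toy_f(q):
    return TOY_F[q]


def honest_bob(sent, f):
    """Bob's computer applies U|q>|0> = |q>|f(q)> to every branch.
    States are dicts from basis labels to complex amplitudes: `sent` is over
    the input register, the result is over (input, output) pairs."""
    return {(q, f(q)): amp for q, amp in sent.items()}


def decoy(q, qp):
    """Alice's quantum decoy (|q> + i|q'>)/sqrt(2) on the input register."""
    return {q: 1 / math.sqrt(2), qp: 1j / math.sqrt(2)}


def expected_decoy(q, qp, f):
    """(|q;f(q)> + i|q';f(q')>)/sqrt(2): Alice can write this down only because
    she generated (q, f(q)) and (q', f(q')) herself (random verifiability)."""
    return honest_bob(decoy(q, qp), f)


def intact_probability(returned, expected):
    """||P_intact s'||^2 with P_intact = |expected><expected|: the probability
    that Alice's tamper check passes on the returned state."""
    overlap = sum(expected[k].conjugate() * returned.get(k, 0) for k in expected)
    return abs(overlap) ** 2


def honest_strategy(sent, f):
    """Outcome distribution of an honest Bob: one branch, probability 1."""
    return [(1.0, honest_bob(sent, f))]


def measuring_strategy(sent, f):
    """Bob reads the input register in the computational basis before running U
    (on a message word this gives G = 1).  Returns the outcome distribution
    as (probability, returned state) pairs."""
    outcomes = []
    for q, amp in sent.items():
        prob = abs(amp) ** 2
        collapsed = {q: amp / math.sqrt(prob)}  # renormalised post-measurement state
        outcomes.append((prob, honest_bob(collapsed, f)))
    return outcomes


def undetected_probability(strategy, q, qp, f):
    """Induced fidelity F of `strategy` on one decoy: the average, over Bob's
    outcomes, of the probability that Alice's check passes."""
    expected = expected_decoy(q, qp, f)
    return sum(p * intact_probability(ret, expected) for p, ret in strategy(decoy(q, qp), f))


def undetected_after_rounds(strategy, decoys, f):
    """Individual attacks are independent across rounds (Corollary 1), so the
    chance of passing every decoy check is the product of the per-round ones."""
    result = 1.0
    for q, qp in decoys:
        result *= undetected_probability(strategy, q, qp, f)
    return result


def reduced_input_density(state):
    """Trace out the output register of a state over (input, output) labels.
    An off-diagonal entry (q, q') survives only if both branches carry the
    same output, which is the Section II observation: without f(q), f(q')
    Alice cannot tell a coherent decoy from a measured one."""
    rho = {}
    for (q, o), a in state.items():
        for (qp, op), b in state.items():
            if o == op:
                rho[(q, qp)] = rho.get((q, qp), 0) + a * b.conjugate()
    return rho
```

An honest Bob passes every check, while the measuring Bob passes each decoy with probability exactly 1/2, so after $N$ decoys he survives with probability $(1/2)^N$.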



Quantum theory is helpful for detecting observation by a mistrusted party through the induced disturbance. For this reason quantum cryptography has seen the rise of cheat-sensitive protocols where 'Either party may be able to evade the intended constraints on information transfer by deviating from these protocols. However, if they do, there is a non-zero probability that the other will detect their cheating'. When the probability of detecting the cheating is one, the protocol may also be referred to as cheat-evident [5].

The security of our protocol is cheat-sensitive, as is rig- 
orously described and quantified in the following claim. 
The security of our protocol may also be referred to as 
cheat-evident, in the sense that Alice's detection proba- 
bility tends to 1 in the limit where N tends to infinity. 
Moreover for a fixed information gain by Bob, Alice's de- 
tection probability approaches 1 exponentially with N. 

Claim 1 (Statement of security) Referring to Protocol 1, suppose Bob has no a priori information about Alice's true input $x$. Let $I \in [0, \log(n)]$ be Bob's mutual information about Alice's true input $x$ at the end of the protocol. Let $D$ be the probability of Alice detecting Bob's tampering. Provided that Bob makes only individual attacks, the protocol ensures that $\forall G \in [\frac{1}{n}, 1]$,

$$\big[\, I = \log(n) + \log(G) \;\Rightarrow\; D \ge 1 - F(G)^N \,\big].$$

Hence we have equivalently

$$D \ge 1 - F\!\left(2^{\,I - \log(n)}\right)^N.$$
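The numbers behind Claim 1, as an added worked example that is not part of the paper: the tight bound of Proposition 1, the detection bound $D \ge 1 - F(2^{I-\log(n)})^N$, the smallest $N$ needed to reach a target detection probability, and a numerical check of the concavity of $F$ that Lemma 1 requires. Logarithms are assumed to be base 2 (so $I$ is in bits), as the range $[0, \log(n)]$ suggests.

```python
import math


def induced_fidelity_bound(G, n):
    """Proposition 1 (tight): F(G) = 1/2 + (1/(2n)) (sqrt(G) + sqrt((n-1)(1-G)))^2,
    the largest probability of passing one decoy check available to a Bob who
    identifies a message word with probability G, for n-dimensional transmissions."""
    if not (1.0 / n - 1e-12 <= G <= 1.0 + 1e-12):
        raise ValueError("G must lie in [1/n, 1]")
    G = min(1.0, max(1.0 / n, G))  # absorb floating-point noise at the endpoints
    return 0.5 + (math.sqrt(G) + math.sqrt((n - 1) * (1 - G))) ** 2 / (2 * n)


def estimation_fidelity_from_information(bits, n):
    """Invert I = log(n) + log(G) with base-2 logarithms (assumption): G = 2^(I - log2 n)."""
    if not 0 <= bits <= math.log2(n) + 1e-12:
        raise ValueError("I must lie in [0, log2 n]")
    return min(1.0, 2.0 ** (bits - math.log2(n)))


def detection_probability_bound(bits, n, N):
    """Claim 1: D >= 1 - F(G)^N once Bob has gathered `bits` bits of Shannon
    information about the true input, with N decoys and individual attacks."""
    G = estimation_fidelity_from_information(bits, n)
    return 1.0 - induced_fidelity_bound(G, n) ** N


def decoys_needed(bits, n, target):
    """Smallest N for which the bound guarantees detection probability >= target."""
    F = induced_fidelity_bound(estimation_fidelity_from_information(bits, n), n)
    if F >= 1.0:
        raise ValueError("no information gained, so nothing to detect")
    return math.ceil(math.log(1.0 - target) / math.log(F))


def concave_on_grid(n, steps=200):
    """Midpoint-concavity check of F on [1/n, 1] over a grid; F(1/n) = 1 is its
    maximum and F decreases to 1/2 + 1/(2n) at G = 1."""
    lo, hi = 1.0 / n, 1.0
    xs = [lo + (hi - lo) * k / steps for k in range(steps + 1)]
    for a, b in zip(xs, xs[2:]):
        mid = induced_fidelity_bound((a + b) / 2, n)
        chord = (induced_fidelity_bound(a, n) + induced_fidelity_bound(b, n)) / 2
        if mid + 1e-12 < chord:
            return False
    return True
```

For $n = 4$ a Bob who learns the full $\log_2 4 = 2$ bits faces $F = 0.625$ per decoy, so ten decoys already push his survival probability below 1%.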

Proof. We prove that the claim holds for a weakened form of Protocol 1 where we add:

Step 5. Alice publicly announces the position in which she sent her true input $|x\rangle$.

Until this stage, however, Bob has no means of knowing at which round true input $|x\rangle$ was sent. This is because we have assumed he has no a priori knowledge about the true input. In his view the state was drawn from the canonical ensemble $\{(1/n, |j\rangle)\}_{j=1..n}$, whilst the quantum decoys were drawn from the pairing ensemble $\{(1/n^2, \frac{|j\rangle + i|k\rangle}{\sqrt{2}})\}_{j,k=1..n}$, but the two are indistinguishable for they both have density matrix $I/n$. We are, therefore, in the precise case of Corollary 1. Without loss of generality we can assume Bob's attack yields him mean estimation fidelity $G_i$ about Alice's true input whenever the position is later announced equal to $i$. Let $\bar{G} = \sum_p G_p/(N+1)$.

First we prove that $[\, I = \log(n) + \log(G) \Rightarrow \bar{G} \ge G \,]$. Say the true input is at position $p$. In this situation Bob's best chance of guessing the true input is $G_p$ (by definition) and thus his Shannon uncertainty $H_p$ about Alice's true input is bounded as follows:

$$H_p = -\sum p(x \mid \text{Bob's outcome}) \log\big(p(x \mid \text{Bob's outcome})\big)$$
$$\ge -\lfloor 1/G_p \rfloor G_p \log(G_p) - \big(1 - \lfloor 1/G_p \rfloor G_p\big)\log\big(1 - \lfloor 1/G_p \rfloor G_p\big)$$
$$\ge -\log(G_p).$$

The RHS of the last line is often referred to as the 'min-entropy', sometimes denoted $H_\infty$, and is commonly used to bound uncertainties in the above manner (i.e. Shannon uncertainty is always at least $H_\infty$). As a consequence Bob's mutual information $I_p$ satisfies

$$I_p \le \log(n) + \log(G_p).$$

Averaging over all possible positions $p = 1 \ldots N+1$ Bob's mutual information satisfies

$$I = \frac{1}{N+1}\sum_{p=1}^{N+1} I_p \le \log(n) + \frac{1}{N+1}\sum_{p=1}^{N+1}\log(G_p) \le \log(n) + \log(\bar{G}),$$

where the last inequality was obtained using the concavity of $x \mapsto \log(x)$. Hence we have

$$I = \log(n) + \log(G) \le \log(n) + \log(\bar{G}).$$

Since $x \mapsto \log(x)$ is increasing we conclude that $G \le \bar{G}$.

Second we prove that $[\, \bar{G} \ge G \Rightarrow D \ge 1 - F(G)^N \,]$. Since we have assumed individual attacks Corollary 1 applies, and so Bob is undetected with probability

$$p(\text{undetected} \mid p) \le \prod_{i=1,\, i \ne p}^{N+1} F(G_i).$$

Let us now average the above over all possible positions $p = 1 \ldots N+1$. The probability that Bob's tampering remains undetected by Alice satisfies

$$p(\text{undetected}) = \frac{1}{N+1}\sum_{p=1}^{N+1} p(\text{undetected} \mid p) \le \frac{1}{N+1}\sum_{p=1}^{N+1}\ \prod_{i=1,\, i \ne p}^{N+1} F(G_i) \le F(\bar{G})^N,$$
$$D \ge 1 - F(\bar{G})^N,$$

where the last inequality of the first line was obtained using Lemma 1 upon the concave, continuous function $x \mapsto F(x)$. Since $x \mapsto 1 - F(x)^N$ is increasing and $\bar{G} \ge G$ we conclude that

$$D \ge 1 - F(\bar{G})^N \ge 1 - F(G)^N.$$

□

Protocol 1 requires $N+1$ communications between Alice and Bob. One could suggest a modification whereby Alice would send Bob her whole pool (as prepared in Step 0), and later proceed to check upon the integrity of each element of the pool which Bob returns, apart from her true input. Formally this yields the following protocol:



Protocol 2 (Non-interactive version) Alice wants Bob to compute $f(x)$ whilst keeping her input $x$ secret. Here $f$ designates a random verifiable function implemented on a quantum computer by a unitary evolution $U$.

Step 0. Alice efficiently computes $2N$ random input-solution pairs $(q, f(q))$ and prepares a pool of $N+1$ quantum states consisting of her true input $|x\rangle$ together with $N$ quantum decoys $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$.

Step 1. Alice sends Bob the large quantum state $\bigotimes_{i=1}^{N+1} |\psi_i\rangle$ consisting of a random permutation of all elements of the pool.

Step 2. Bob supposedly computes $\bigotimes_{i=1}^{N+1} U|\psi_i\rangle|0\rangle$ and sends the result back to Alice.

Step 3. For each location $i$, if $|\psi_i\rangle$ was a quantum decoy $\frac{|q\rangle + i|q'\rangle}{\sqrt{2}}$ Alice measures

$$\Big\{P_{intact} = \tfrac{1}{2}\big(|q;f(q)\rangle + i|q';f(q')\rangle\big)\big(\langle q;f(q)| - i\langle q';f(q')|\big),\ P_{tamper} = I - P_{intact}\Big\}$$

so as to check for tampering. If on the other hand $|\psi_i\rangle$ was her true input Alice reads off $f(x)$.



When Bob is restricted to individual attacks (non-coherent attacks, i.e. Bob measures each quantum state in the pool individually) then Claim 1 holds also for Protocol 2. We omit the proof of this since it is similar to, and in fact simpler than, the one given for Protocol 1. Now suppose Conjecture 1 was verified. This would immediately entail that Claim 1 holds also for coherent attacks for Protocol 1. Hence we believe that Protocol 1 can resist the most general attack. A thought-provoking question is whether this is still the case for Protocol 2. Is it the case that interactivity contributes, to some extent, to a limitation of Bob's possible attacks?



V. CONCLUDING REMARKS

We have investigated the possibility of having someone else carrying out the evaluation of a function for you without letting him learn anything about your input. We gave a blind computation protocol for the class of functions which admit an efficient procedure to generate random input-output pairs. The protocol relies upon quantum physical information gain versus disturbance tradeoffs [3] to achieve cheat-sensitive security against individual attacks: whenever the server gathers $\log(n) + \log(G)$ bits of Shannon information about the input, he must get caught with probability at least $1 - F(G)^N$ (where $n$ denotes the size of the input and $N$ is a security parameter). Moreover the server cannot distinguish a wary client who uses the blind computation protocol (sending one true input amongst $N$ decoys) from a normal client who simply makes repeated use of the server (sending $N+1$ true inputs). Thus if the server wanted to deny his services to suspected users of the protocol, he would also have to refuse the normal clients. We have conjectured that the same security properties hold for general, coherent attacks.

Our protocol could be improved in several directions. In terms of costs one may hope to reduce the set of quantum gates needed by Alice to prepare her transmissions; lower the size of the transmissions; lower the number of rounds required. We leave it as an open problem to find the security properties of the non-interactive version of our protocol when Bob is allowed coherent attacks. In terms of functionality one may wish to achieve tamper prevention (preventing Bob from learning about $x$ ever) rather than tamper detection (preventing Bob from learning about $x$ without being detected, i.e. cheat-sensitiveness). Protocol 1 provides the latter to some degree, since its interactivity allows Alice to avoid sending her true input $x$ whenever she detects tampering upon her quantum decoys in the previous rounds. However we have not provided an analysis for a tamper-prevention-like security property. Another challenge would be to extend/identify the class of functions admitting a blind quantum computation protocol. This may have consequences in quantum complexity theory, as was the case in the classical setting. For instance if one was to prove that the blind quantum computation protocol had no interest as a secure way of discharging Alice computationally, because all the random verifiable functions turn out to be easy to perform on a quantum computer, then random verifiability would impose itself as an elegant property for the quantum polynomial class.